Introducing WizOS: Securing Wiz from the ground up with hardened, near-zero-CVE container base images.

Wiz has developed WizOS, a hardened and minimal container base image designed to eliminate the critical vulnerabilities inherited from traditional base images and so improve secure software delivery. It reduces build pipeline disruptions and improves developer productivity by standardizing secure foundations across cloud deployments. #Wiz #WizOS

Key points

  • Wiz enforces a zero-critical CVE policy for all production code, necessitating hardened container base images to prevent build pipeline failures.
  • WizOS is a new minimal Linux distribution that is compatible with Alpine but uses glibc instead of musl, so that it supports a wider range of applications while keeping a small footprint.
  • Every component of WizOS is built from source with signing and provenance to ensure full transparency and trustworthiness of container images.
  • Rolling out WizOS across development teams was largely seamless for Alpine-based services, with moderate changes required for Ubuntu/Debian-based systems.
  • Post-rollout, critical and high vulnerabilities in base images dropped to nearly zero, decreasing scanner noise and speeding up CI pipelines.
  • WizOS integration enables better vulnerability tracking and policy enforcement through the Wiz Technology Inventory and security tools.
  • Wiz plans to expand WizOS support to additional base and application-layer images, which are currently available in private preview for customers.

MITRE Techniques

  • [T1574] Hijack Execution Flow – By replacing default container base images with hardened WizOS images, the approach mitigates risks of attackers exploiting vulnerable base layers (“…critical CVEs in base images could halt deployment across dozens of services…”).
  • [T1609] Container Administration Command – Implementing image signing and provenance supports controlled environment builds and secure container deployment (“…Every component in WizOS is built from source, with signing and provenance, so users can ‘trust, but verify’…”).

Indicators of Compromise

  • [File Hashes] No specific hashes are listed; the source reports only that critical and high CVE counts in traditional base images dropped drastically after adopting WizOS.
  • [File Names] Container base images referenced in CI pipelines: Alpine-based images were replaced by WizOS images, with Helm charts and Dockerfiles updated accordingly.

Read more: https://www.wiz.io/blog/introducing-wizos-hardened-near-zero-cve-base-images